Analysis
-
max time kernel
148s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28/09/2024, 23:55
General
-
Target
838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe
-
Size
2.8MB
-
MD5
a8fe411c68adcd42d0270b015dd36dfd
-
SHA1
d446c7dc5cd155b66bb7eff4b687cdbb0e5b28f0
-
SHA256
838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e
-
SHA512
e6be91ac4d23f1efaf61b1398ea15a3d252f8df2e4e673d7bb385b667a26e3092a50d35a4e13985f722ad10a916df3e928f1d1bf3e5c2671bfe3c63bf0c1f8dd
-
SSDEEP
49152:nF+P9VgqrzbfDULyOPtjN/lXekpomFsEB7yOrRBST1WjyK:F+PfRELyOhN/lXe4FsNyOWWK
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe"C:\Users\Admin\AppData\Local\Temp\838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JGXBBS.OTFQ"C:\Users\Admin\AppData\Local\Temp\JGXBBS.OTFQ"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh winsock reset3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
-
Filesize
2.8MB
MD5741ae879f5cfe6870160c878fcaf37bd
SHA1a26567240ed22bd375127bdfd08748a77b1d12d8
SHA2562392f6dc90a3d577437c9ed348b911fc6a1aa1cbafea781a607417a933de1001
SHA51213faa19cd240af8545b205f2cfb20fcfd4951024dc41179ca467a2c3c107f67db407c70354b82117a976b28f122c8c513c6336359f3ba21519f83ae2fdcaa121
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB